Overview

overview

10

Static

static

pvRnUbWwToDTcwg.exe

windows7_x64

10

pvRnUbWwToDTcwg.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-10-2021 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pvRnUbWwToDTcwg.exe

  • Size

    519KB

  • MD5

    8e07e2f350449f748eb0d1a9cde22180

  • SHA1

    6e453492ae09c770dd23bc4836c53b7bf7d505d0

  • SHA256

    f83cdf1780fcb5525b353125751e8495c5d372d6fbd341b06a60f05ac2de2160

  • SHA512

    8d730e1ae09b47e64a8a1c1e522f3bb7f1a50d1e27436bdd45ecb56348433c8605f0e668d09c2bf9b65a275b7426c31ab2afb6579119db007a7787079128fdfb

Score
10/10
formbookpn4rratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pn4r

C2

http://www.wexchange.money/pn4r/

Decoy

mymicroreader.com

rpttoday.com

covid-testiranje.com

trendismon.com

xtoearn.com

themiraclemamma.com

reebok-technology.store

naionics.com

nuatierra.com

tarynrenee.com

tessstrachey.xyz

ptarmigan.xyz

publistom.com

hostingforyou.online

padellacentral.com

vp0y0x.icu

theultimatewhisper.com

fashionbrandsweek.com

soltechwebdesign.site

proteinakua.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\pvRnUbWwToDTcwg.exe
      "C:\Users\Admin\AppData\Local\Temp\pvRnUbWwToDTcwg.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Users\Admin\AppData\Local\Temp\pvRnUbWwToDTcwg.exe
        "C:\Users\Admin\AppData\Local\Temp\pvRnUbWwToDTcwg.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\pvRnUbWwToDTcwg.exe"
        3⤵
          PID:4552

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/760-117-0x0000000005860000-0x0000000005861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/760-118-0x0000000005400000-0x0000000005401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/760-119-0x0000000005380000-0x0000000005381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/760-120-0x00000000056C0000-0x00000000056C6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/760-121-0x0000000005360000-0x000000000585E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/760-122-0x0000000007100000-0x0000000007101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/760-123-0x00000000071A0000-0x00000000071F0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/760-115-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2712-129-0x00000000026C0000-0x0000000002782000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2712-136-0x0000000005500000-0x0000000005638000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4492-133-0x0000000004A90000-0x0000000004DB0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4492-130-0x0000000000000000-mapping.dmp
      Download
    • memory/4492-131-0x0000000001320000-0x0000000001347000-memory.dmp
      Filesize

      156KB

      Download
    • memory/4492-132-0x0000000000810000-0x000000000083F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4492-135-0x00000000047F0000-0x0000000004883000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4552-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4580-127-0x00000000015D0000-0x00000000018F0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4580-128-0x0000000001590000-0x00000000015A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4580-125-0x000000000041F110-mapping.dmp
      Download
    • memory/4580-124-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download